def test_selinux_status(): with mock.patch('selinux.is_selinux_enabled') as selinux_enabled,\ mock.patch('selinux.security_getenforce') as getenforce: selinux_enabled.return_value = 1 getenforce.return_value = 1 assert selinux_status() == {'enabled': True, 'mode': 'enforcing'} selinux_enabled.return_value = 1 getenforce.return_value = 0 assert selinux_status() == {'enabled': True, 'mode': 'permissive'} selinux_enabled.return_value = 0 assert selinux_status() == {'enabled': False, 'mode': None}
def send_ping(dev=False): can_read_cert() ping = mtls_request('get', 'ping', dev=dev, requester_name="Ping", log_on_ok=True) if ping is None or not ping.ok: logger.error('Ping failed.') return connections, ports = security_helper.netstat_scan() payload = { 'device_operating_system_version': platform.release(), 'fqdn': socket.getfqdn(), 'ipv4_address': get_primary_ip(), 'uptime': get_uptime(), 'agent_version': str(__version__), 'confinement': CONFINEMENT.name, 'installation': detect_installation().name } # Things we can't do within a Snap or Docker if CONFINEMENT not in (Confinement.SNAP, Confinement.DOCKER, Confinement.BALENA): payload.update({ 'processes': security_helper.process_scan(), 'logins': journal_helper.logins_last_hour(), 'default_password': security_helper.check_for_default_passwords(CONFIG_PATH) }) # Things we cannot do in Docker if CONFINEMENT not in (Confinement.DOCKER, Confinement.BALENA): blocklist = ping.json() iptables_helper.block(blocklist) payload.update({ 'selinux_status': security_helper.selinux_status(), 'app_armor_enabled': security_helper.is_app_armor_enabled(), 'firewall_rules': iptables_helper.dump(), 'scan_info': ports, 'netstat': connections }) rpi_metadata = rpi_helper.detect_raspberry_pi() if rpi_metadata['is_raspberry_pi']: payload.update({ 'device_manufacturer': 'Raspberry Pi', 'device_model': rpi_metadata['hardware_model'], }) logger.debug("[GATHER] POST Ping: {}".format(payload)) ping = mtls_request('post', 'ping', json=payload, dev=dev, requester_name="Ping", log_on_ok=True) if ping is None or not ping.ok: logger.error('Ping failed.') return
def send_ping(dev=False): can_read_cert() ping = mtls_request('get', 'ping', dev=dev, requester_name="Ping", log_on_ok=True) if ping is None or not ping.ok: logger.error('Ping failed.') return ping = ping.json() payload = { 'device_operating_system_version': platform.release(), 'fqdn': socket.getfqdn(), 'ipv4_address': get_primary_ip(), 'uptime': get_uptime(), 'agent_version': str(__version__), 'confinement': CONFINEMENT.name, 'cloud': detect_cloud().name, 'installation': detect_installation().name, 'os_release': get_os_release() } if CONFINEMENT != Confinement.SNAP: packages = get_packages() if ping.get('deb_packages_hash') != packages['hash']: payload['deb_packages'] = packages if CONFINEMENT in (Confinement.NONE, Confinement.SNAP): connections, ports = security_helper.netstat_scan() blocklist = ping iptables_helper.block(blocklist) payload.update({ 'processes': security_helper.process_scan(), 'logins': journal_helper.logins_last_hour(), 'firewall_rules': iptables_helper.dump(), 'scan_info': ports, 'netstat': connections, 'selinux_status': security_helper.selinux_status(), 'app_armor_enabled': security_helper.is_app_armor_enabled() }) if CONFINEMENT == Confinement.NONE: payload.update({ 'default_password_users': security_helper.check_for_default_passwords(CONFIG_PATH), 'audit_files': security_helper.audit_config_files(), 'auto_upgrades': auto_upgrades_enabled(), 'mysql_root_access': security_helper.mysql_root_access(), 'kernel_package': kernel_package_info(), 'reboot_required': reboot_required(), 'cpu': security_helper.cpu_vulnerabilities() }) rpi_metadata = detect_raspberry_pi() if rpi_metadata['is_raspberry_pi']: payload.update({ 'device_manufacturer': 'Raspberry Pi', 'device_model': rpi_metadata['hardware_model'], }) logger.debug("[GATHER] POST Ping: {}".format(payload)) ping = mtls_request('post', 'ping', json=payload, dev=dev, requester_name="Ping", log_on_ok=True) if ping is None or not ping.ok: logger.error('Ping failed.') return
def send_ping(debug=False, dev=False): can_read_cert() ping = requests.get('{}/v0.2/ping'.format(MTLS_ENDPOINT), cert=(CLIENT_CERT_PATH, CLIENT_KEY_PATH), headers={ 'SSL-CLIENT-SUBJECT-DN': 'CN=' + get_device_id(), 'SSL-CLIENT-VERIFY': 'SUCCESS' } if dev else {}) if debug: print("[RECEIVED] GET Ping: {}".format(ping.status_code)) print("[RECEIVED] GET Ping: {}".format(ping.content)) if not ping.ok: print('Ping failed.') return blocklist = ping.json() security_helper.block_ports( blocklist.get('block_ports', { 'tcp': [], 'udp': [] })) security_helper.block_networks(blocklist.get('block_networks', [])) connections, ports = security_helper.netstat_scan() payload = { 'device_operating_system_version': platform.release(), 'fqdn': socket.getfqdn(), 'ipv4_address': get_primary_ip(), 'uptime': get_uptime(), 'scan_info': ports, 'netstat': connections, 'processes': security_helper.process_scan(), 'firewall_enabled': security_helper.is_firewall_enabled(), 'firewall_rules': security_helper.get_firewall_rules(), 'selinux_status': security_helper.selinux_status(), 'app_armor_enabled': security_helper.is_app_armor_enabled(), 'logins': journal_helper.logins_last_hour(), 'default_password': security_helper.check_for_default_passwords(CONFIG_PATH), 'agent_version': __version__ } rpi_metadata = rpi_helper.detect_raspberry_pi() if rpi_metadata['is_raspberry_pi']: payload['device_manufacturer'] = 'Raspberry Pi' payload['device_model'] = rpi_metadata['hardware_model'] if debug: print("[GATHER] POST Ping: {}".format(payload)) ping = requests.post('{}/v0.2/ping'.format(MTLS_ENDPOINT), cert=(CLIENT_CERT_PATH, CLIENT_KEY_PATH), json=payload, headers={ 'SSL-CLIENT-SUBJECT-DN': 'CN=' + get_device_id(), 'SSL-CLIENT-VERIFY': 'SUCCESS' } if dev else {}) if debug: print("[RECEIVED] POST Ping: {}".format(ping.status_code)) print("[RECEIVED] POST Ping: {}".format(ping.content)) if not ping.ok: print('Ping failed.') return